tests: use a fixed SystemTime for certificate validation

cpu · cpu · commit 06f8735fb9f6 · 2024-01-03T13:06:34.000-05:00
Fixing the `SystemTime` that we pass to the certificate verifier for the
real world and mock verification tests will ensure that the tests don't
start to fail just because the vendored certificates have expired.
diff --git a/rustls-platform-verifier/src/lib.rs b/rustls-platform-verifier/src/lib.rs
@@ -4,6 +4,7 @@
 
 use rustls::ClientConfig;
 use std::sync::Arc;
+use std::time::{Duration, SystemTime};
 
 mod verification;
 pub use verification::Verifier;
@@ -71,3 +72,12 @@ pub fn tls_config() -> ClientConfig {
 pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }
+
+/// Return a fixed [SystemTime] for certificate validation purposes.
+///
+/// We fix the "now" value used for certificate validation to a fixed point in time at which
+/// we know the test certificates are valid. This must be updated if the test certificates
+/// are regenerated.
+pub fn verification_time() -> SystemTime {
+    SystemTime::UNIX_EPOCH + Duration::from_secs(1_704_304_988)
+}
diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs
@@ -23,6 +23,7 @@
 use super::TestCase;
 use crate::tests::assert_cert_error_eq;
 use crate::verification::{EkuError, Verifier};
+use crate::verification_time;
 use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError};
 use std::convert::TryFrom;
 use std::net::IpAddr;
@@ -95,7 +96,7 @@ pub(super) fn verification_without_mock_root() {
         &server_name,
         &mut std::iter::empty(),
         &[],
-        std::time::SystemTime::now(),
+        verification_time(),
     );
 
     assert_eq!(
@@ -289,7 +290,7 @@ fn test_with_mock_root<E: std::error::Error + PartialEq + 'static>(test_case: &T
         &server_name,
         &mut std::iter::empty(),
         test_case.stapled_ocsp.unwrap_or(&[]),
-        std::time::SystemTime::now(),
+        verification_time(),
     );
 
     assert_cert_error_eq(
diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs
@@ -42,7 +42,7 @@
 //! Thus we don't expect these tests to be flaky w.r.t. that, except for
 //! potentially poor performance.     
 use super::TestCase;
-use crate::{tests::assert_cert_error_eq, Verifier};
+use crate::{tests::assert_cert_error_eq, verification_time, Verifier};
 use rustls::{client::ServerCertVerifier, CertificateError, Error as TlsError};
 use std::convert::TryFrom;
 
@@ -145,7 +145,7 @@ fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
             &server_name,
             &mut std::iter::empty(),
             stapled_ocsp,
-            std::time::SystemTime::now(),
+            verification_time(),
         )
         .map(|_| ());
 
